The Asia Pacific Network Information Centre (APNIC), the internet registry for the region, has admitted it left at least a portion of its Whois SQL database, which contains sensitive information, facing the public internet for three months during maintenance activity on Registration Data Access Protocol set to replace Whois
During that maintenance effort, a dump from APNIC’s Whois SQL database was copied to a Google Cloud storage bucket and APNIC only learned it was accessible to the public when an independent security researcher tipped it off to the problem
The file in the exposed bucket “contained hashed authentication details for APNIC whois maintainer and IRT objects, and also included some private whois objects that are not visible on APNIC’s regular public whois service”. Hashed passwords are been use to protect thr APNIC’s Database and only authorised can access the records and do a change
The data contained in the private objects varies, as there were comments added by resource holders in the ‘descr’ and ‘remarks’ attributes. The review of this data has found that it predominantly consists of corporate contact details.
APNIC has reset passwords, advised all stakeholders whose data was at risk, apologised and taken steps to prevent in future. The organisation also pointed out that users with a MyAPNIC account have nothing to worry about, and don’t need to change their passwords, as the exposed data only concerned maintainers and a small group of other users.